CVE-2025-64170: 
Rust 脆弱性の分析と軽減

CVE-2025-64170 affects sudo-rs, a Rust-based implementation of sudo and su. The vulnerability was discovered and reported by DevLaTron, and was disclosed on November 11, 2025. The issue affects sudo-rs versions from 0.2.7 and was patched in version 0.2.10 (GitHub Advisory).

The vulnerability occurs when typing partial passwords without pressing return for an extended period, triggering a password timeout. When the timeout occurs, the previously typed keys are inadvertently replayed onto the console. The vulnerability has been assigned a CVSS v3.1 score of 3.8 (Low) with the vector string CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N. The issue is classified as CWE-549 (Missing Password Field Masking) (GitHub Advisory).

The vulnerability could reveal partial password information, which may be captured in history files or displayed on screen. This exposure could be exploited for Social Engineering or Pass-By attacks, potentially compromising system security (GitHub Advisory).

The vulnerability has been patched in sudo-rs version 0.2.10. Ubuntu has released security update USN-7867-1 with version 0.2.8-1ubuntu5.2 for Ubuntu 25.10 (questing). Debian has also addressed the issue with version 0.2.5-5+deb13u1 for trixie (security) and version 0.2.10-1 for forky and sid releases (Ubuntu Notice, Debian Tracker).